l3proto: add unit tests

This patch adds a series of unit tests. The first two test the keyword
by checking a packet against signatures that use it. The last one checks
that there is no interaction between l3_proto and ip_proto.
pull/49/merge
Eric Leblond 13 years ago committed by Victor Julien
parent 71b4257bc2
commit b58ecd833a

@ -46,13 +46,15 @@
static int DetectL3ProtoSetup(DetectEngineCtx *, Signature *, char *);
void DetectL3protoRegisterTests(void);
void DetectL3ProtoRegister(void)
{
sigmatch_table[DETECT_L3PROTO].name = "l3_proto";
sigmatch_table[DETECT_L3PROTO].Match = NULL;
sigmatch_table[DETECT_L3PROTO].Setup = DetectL3ProtoSetup;
sigmatch_table[DETECT_L3PROTO].Free = NULL;
sigmatch_table[DETECT_L3PROTO].RegisterTests = NULL;
sigmatch_table[DETECT_L3PROTO].RegisterTests = DetectL3protoRegisterTests;
return;
}
@ -115,3 +117,277 @@ error:
SCFree(str);
return -1;
}
#ifdef UNITTESTS
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
/**
* \test DetectL3protoTestSig01 is a test for checking the working of ttl keyword
* by setting up the signature and later testing its working by matching
* the received packet against the sig.
*/
static int DetectL3protoTestSig1(void) {
Packet *p = SCMalloc(SIZE_OF_PACKET);
if (p == NULL)
return 0;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
IPV4Hdr ip4h;
memset(&th_v, 0, sizeof(th_v));
memset(p, 0, SIZE_OF_PACKET);
p->pkt = (uint8_t *)(p + 1);
p->src.family = AF_INET;
p->dst.family = AF_INET;
p->proto = IPPROTO_TCP;
p->ip4h = &ip4h;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv4\"; l3_proto:ipv4; sid:1;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv6\"; l3_proto:ipv6; sid:2;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ip4\"; l3_proto:ip4; sid:3;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ip6\"; l3_proto:ip6; sid:2;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1) == 0) {
printf("sid 1 did not alert, but should have: ");
goto cleanup;
} else if (PacketAlertCheck(p, 2)) {
printf("sid 2 alerted, but should not have: ");
goto cleanup;
} else if (PacketAlertCheck(p, 3) == 0) {
printf("sid 3 did not alert, but should have: ");
goto cleanup;
} else if (PacketAlertCheck(p, 4)) {
printf("sid 4 alerted, but should not have: ");
goto cleanup;
}
result = 1;
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
SCFree(p);
return result;
}
/**
* \test DetectL3protoTestSig02 is a test for checking the working of l3proto keyword
* by setting up the signature and later testing its working by matching
* the received IPv6 packet against the sig.
*/
static int DetectL3protoTestSig2(void) {
Packet *p = SCMalloc(SIZE_OF_PACKET);
if (p == NULL)
return 0;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
IPV6Hdr ip6h;
memset(&th_v, 0, sizeof(th_v));
memset(p, 0, SIZE_OF_PACKET);
p->pkt = (uint8_t *)(p + 1);
p->src.family = AF_INET6;
p->dst.family = AF_INET6;
p->proto = IPPROTO_TCP;
p->ip6h = &ip6h;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv4\"; l3_proto:ipv4; sid:1;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv6\"; l3_proto:ipv6; sid:2;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ip4\"; l3_proto:ip4; sid:3;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ip6\"; l3_proto:ip6; sid:4;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1)) {
printf("sid 1 alerted, but should not have: ");
goto cleanup;
} else if (PacketAlertCheck(p, 2) == 0) {
printf("sid 2 did not alert, but should have: ");
goto cleanup;
} else if (PacketAlertCheck(p, 3)) {
printf("sid 3 alerted, but should not have: ");
goto cleanup;
} else if (PacketAlertCheck(p, 4) == 0) {
printf("sid 4 did not alert, but should have: ");
goto cleanup;
}
result = 1;
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
SCFree(p);
return result;
}
/**
* \test DetectL3protoTestSig03 is a test for checking the working of l3proto keyword
* in conjonction with ip_proto keyword.
*/
static int DetectL3protoTestSig3(void) {
Packet *p = SCMalloc(SIZE_OF_PACKET);
if (p == NULL)
return 0;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
IPV6Hdr ip6h;
memset(&th_v, 0, sizeof(th_v));
memset(p, 0, SIZE_OF_PACKET);
p->pkt = (uint8_t *)(p + 1);
p->src.family = AF_INET6;
p->dst.family = AF_INET6;
p->proto = IPPROTO_TCP;
p->ip6h = &ip6h;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv4 and ip_proto udp\"; l3_proto:ipv4; ip_proto:17; sid:1;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv6 and ip_proto udp\"; l3_proto:ipv6; ip_proto:17; sid:2;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ip4 and ip_proto tcp\"; l3_proto:ipv4; ip_proto:6; sid:3;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv6 and ip_proto tcp\"; l3_proto:ipv6; ip_proto:6; sid:4;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1)) {
printf("sid 1 alerted, but should not have: ");
goto cleanup;
} else if (PacketAlertCheck(p, 2)) {
printf("sid 2 alerted, but should not have: ");
goto cleanup;
} else if (PacketAlertCheck(p, 3)) {
printf("sid 3 alerted, but should not have: ");
goto cleanup;
} else if (PacketAlertCheck(p, 4) == 0) {
printf("sid 4 did not alert, but should have: ");
goto cleanup;
}
result = 1;
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
SCFree(p);
return result;
}
#endif /* UNITTESTS */
/**
* \brief this function registers unit tests for DetectL3proto
*/
void DetectL3protoRegisterTests(void) {
#ifdef UNITTESTS
UtRegisterTest("DetectL3protoTestSig1", DetectL3protoTestSig1, 1);
UtRegisterTest("DetectL3protoTestSig2", DetectL3protoTestSig2, 1);
UtRegisterTest("DetectL3protoTestSig3", DetectL3protoTestSig3, 1);
#endif /* UNITTESTS */
}
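Review bot: In DetectL3protoTestSig1 the fourth signature (`l3_proto:ip6`) is declared with `sid:2` instead of `sid:4`, so the `PacketAlertCheck(p, 4)` branch can never fire and two rules share one sid; it should end `l3_proto:ip6; sid:4;)` as the same rule does in DetectL3protoTestSig2. In all three tests a failed SigInit() jumps to `end` after `de_ctx` has been created, which skips DetectEngineCtxFree() and leaks the context and any signatures already parsed; those paths need a label that frees `de_ctx` without touching the still-uninitialized `det_ctx`. The stack `ip4h`/`ip6h` headers are attached to the packet without being zeroed, so if the match path reads any header field it reads indeterminate data; `memset(&ip4h, 0, sizeof(ip4h));` before `p->ip4h = &ip4h;` (and the `ip6h` equivalent) would avoid that. The doc comment on the first test still says "ttl keyword" and should name `l3_proto`.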
